Networked visited by University of Michigan

[BinaryData]

So, I recently setup an FTP Server on my home network. I'm doing some messing around with programming and working on a updater for a friends game server.

 

Well, this happened. Someone care to explain why the heck the University of Michigan is accessing my network?

 

Tracing route to researchscan336.eecs.umich.edu [141.212.122.81]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2     1 ms    <1 ms    <1 ms  66.172.101.1.nwinternet.com [66.172.101.1]
  3     1 ms     1 ms     1 ms  206.130.130.236.nwinternet.com [206.130.130.236]
  4     1 ms     1 ms     1 ms  206.130.137.57.nwinternet.com [206.130.137.57]
  5     6 ms    18 ms     5 ms  78.152.42.114
  6    24 ms    25 ms    24 ms  ae02.edge01.sjo01.us.as5580.net [78.152.34.9]
  7    25 ms    25 ms    25 ms  paix0.tr-cps.internet2.edu [198.32.176.128]
  8    33 ms    33 ms    33 ms  xe-0-0-0.80.rtr.losa.net.internet2.edu [64.57.20.124]
  9    45 ms    45 ms    45 ms  ae-2.80.rtr.salt.net.internet2.edu [64.57.20.145]
 10    69 ms    69 ms    69 ms  ae-2.80.rtr.kans.net.internet2.edu [64.57.20.147]
 11    72 ms    69 ms    69 ms  ae-0.80.rtr.chic.net.internet2.edu [64.57.20.149]
 12    69 ms    70 ms    69 ms  ae-4.80.rtr.eqch.net.internet2.edu [64.57.20.151]
 13    91 ms    91 ms    91 ms  ae0x69.anar-um-arbl.mich.net [198.108.22.102]
 14    90 ms    93 ms    90 ms  l3-binarbl-merit-1.r-bin-arbl.umnet.umich.edu [192.12.80.66]

It died at the 15th hop mark, the rest were time outs.

 

I've editted out my IP Address / Login Credentials. But here's a log of it.

 

 

I'm way lost on this. Frankly, it bothers me a fair bit that it happened, I'm just not too sure how concerned I should be.

[sc302]

they are spamming the interwebs looking for ftp servers to bruteforce or try to login to.   You will get them from everywhere.

 

put that on an ip block list or secure your crap up some more. 

 

When I was hosting my own personal ftp, I would have them put on a block and ban list after 3 bad attempts. 

[c.grz]

Did you browse to that URL? It has the answers to your question:

 

http://researchscan336.eecs.umich.edu/

 

To be honest; the FQDN of the IP should of been a clue.

 

[BinaryData]

1 minute ago, sc302 said:

they are spamming the interwebs looking for ftp servers to bruteforce or try to login to.   You will get them from everywhere.

 

put that on an ip block list or secure your crap up some more. 

 

When I was hosting my own personal ftp, I would have them put on a block and ban list. 

Great. I'll end up doing that then. I was thinking I could just block all of their IPs, but I don't even know where to begin to get that info.

 

Well, I've enabled FTPS, now I'm looking into SFTP. I've got unencrypted ftp blocked. All passwords are 8+ Alphanumeric Special Character / Punctuation.

 

Whats their end goal? Just to find out what I've got on there?

[sc302]

The end goal of all of them, get into your stuff and exploit it by either downloading the contents or using it to host their own crap.   And sometimes it is just to say they did it. 

 

The end goal is really irrelevant.  You can group that all into normal internet chatter.

[c.grz]

Read the blurb at the other end of the URL, it's not malicious.

[BinaryData]

1 minute ago, c.grz said:

Did you browse to that URL? It has the answers to your question:

 

http://researchscan336.eecs.umich.edu/

 

No i didn't. I generally don't go to things I think might be bad.

 

Just now, sc302 said:

The end goal of all of them, get into your stuff and exploit it by either downloading the contents or using it to host their own crap. 

Figured as much. Well, I've changed ports. I'll have Windows Firewall deny that IP/block, I'll have my Router Firewall deny it. At that point I think I should be good.

[Circaflex]

Quote

Why am I receiving connection attempts from this machine?

These connections are part of an Internet-wide research study being conducted by computer scientists at the University of Michigan. The research involves making benign connection attempts to every public IP address. By measuring the entire public address space, we are able to analyze global patterns and trends in protocol deployment and security.

As part of this study, every public IP address receives a handful of packets per day on a selection of common ports. These consist of regular TCP connection attempts followed by RFC-compliant protocol handshakes with responsive hosts. We never attempt to exploit security problems, guess passwords, or change device configuration. We only receive data that is publicly visible to anyone who connects to a particular address and port.

Why are you collecting this data?

The data collected through these connections helps computer scientists study the deployment and configuration of network protocols and security technologies. For example, we use it to help web browser makers and other software developers understand the impact of proposed protocol changes and security improvements. In some cases, we are able to detect vulnerable systems and report the problems to the system operators. This data also powers real-time reports on the security of the web, such as the Heartbleed Bug Health Report.

This data has been the foundation of more than a dozen peer-reviewed research publications, including:

• Analysis of the HTTPS Certificate Ecosystem
• Elliptic Curve Cryptography in Practice
• When Governments Hack Opponents: A Look at Actors and Technology
• Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices
• ZMap: Fast Internet-wide Scanning and its Security Applications

Can I request that my server be excluded?

To have your host or network excluded from future scans conducted by the University of Michigan, please contact scan-admin@umich.edu with your IP address or CIDR block. Alternatively, you can configure your firewall to drop traffic from the subnets we use for scanning: 141.212.121.0/24 and 141.212.122.0/24.

This is what I found by visiting the link from earlier in the thread.

[sc302]

don't need to change the ports, just need to secure it better.  Perhaps something like only allowing a specific ip block instead of the entire internet instead of opening that port up, creating a vpn for them to use to be able to access your ftp.  There are a number of ways to do it where you don't obscure the ports...after all security through obscurity isn't really security.

[BinaryData]

2 minutes ago, Circaflex said:

This is what I found by visiting the link from earlier in the thread.

Yeah, I went to it after someone posted what it said. I make a habit of not clicking on things I don't know the source too. I ended up Googling it after I posted, which was about the same time they responded. Haha.

1 minute ago, sc302 said:

don't need to change the ports, just need to secure it better.  Perhaps something like only allowing a specific ip block instead of the entire internet instead of opening that port up, creating a vpn for them to use to be able to access your ftp.  There are a number of ways to do it where you don't obscure the ports...after all security through obscurity isn't really security.

Well, I've denied anyone without an account. No anonymous ftp, I've denied anything that isn't encrypted. I'll be setting up SFTP, if I can figure out how to do that. Last time I tried to setup SSH, I failed miserably, formatted and said screw it.

[EmuZombie]

While the answer is pretty much explained above, let me go into this deeper...

 

This is simply the nature of IPv4 internet.  It was developed without security in mind, back in a day when it was never imagined on a global scale nor the vast amount of speed and computing power available today.  There are only 3,706,452,992 public addresses available in for the entire world (also in that same sense, universe).  

 

It does not take much to scan the entire internet, going from one IP address to the next.  This happens on a daily basis from countless sources.  This is how computer worms can spread through non firewalled and unpatched systems with no human interaction.  All it takes is one computer to scan and infect, multiply that exponentially as more and more machines get infected and proceed to scan / infect on their own, you can see where this is going...

 

Another scenario, a "script kiddie" scans random IP blocks from home (most likely from his parent's basement) looking for open ports to later investigate in an attempt to take control of or find something of interest.  

 

A few years ago (it may still be, I am not sure) the most common port that is port scanned is 21.  Why?  Many ftp servers are left wide open with anonymous login and full write privileges.  They then serve as a dumping ground for whatever illegal files they want stored somewhere, this could be anything from a cam version of Star Wars, to something far far worse, like child porn.

 

These types of traffic are basically background internet noise.  If you want, set your firewall to log all incoming unsolicited traffic and by the end of the week you will have a log file of several hundred megabytes (if not gigabytes) of drive by port scan traffic.

 

This problem is the main reason firewalls exist.    By running a server and allowing all traffic through, you are basically leaving your door wide open for anyone to come inside and take a look around.  There is and never will be a such thing as a 100% secure server, but there are many ways you can make it less appealing. 

 

[binaryzero]

LOOOL.

 

1. Dont use port 21.

2. Firewall.

3. This happens all the time - used to port scan rah rah years ago, exploit some unpatched machines in JP and make FTP boxes out of em with glftpd. Fun times. 

 

[+BudMan]

If your wanting to run some sort of backup for your buddy I would look down access to your ftp port to their IP, or their netblock.

 

You ask about how to get a netblock for a specific IP..  One simple way is to just do a whois on the IP that hit you, that should tell you what block that IP is in, be it a /24 or /16, etc..

 

So for example in the IP that hit you falls to this

 

NetRange:       141.212.122.0 - 141.212.122.255
CIDR:           141.212.122.0/24

NetName:        UMICH-21025

 

this moves to a bigger network

 

NetRange:       141.212.0.0 - 141.212.255.255
CIDR:           141.212.0.0/16
NetName:        UMICH-2

 

So could just block the whole /16, they might have more networks..  But you can for sure see from the whois that they do own the whole /16

 

As also mentioned your going to see lots of traffic to 21, 22 (ssh) and telnet (23) are other common ones.  So as you see lots noise.  Here just today for those 3 common ports I see 143 hits sofar today..  I snipped it, but you see from all over the place..  Just noise your firewall should just drop them.

 

So when you open up a service like ftp that is so common, its best to filter who can hit it, since you have a known source - I would lock down the rule to your buddies IP.  Changing the ports not security, but could lower the log noise..  But lack of traffic in your logs might give you a false sense of security, as sc302 mentions obscurity is not security.  Depending on your firewall and ftp server software you can block IPs after so many failed attempts.

 

I don't allow anything into my network other than vpn, and serve up ntp to the pool.. But as you can see there are hits to my vpn port since I run it on 443 tcp so I know if there is internet where I am at I can get too it.  So you see firewall lets in all that traffic, but fails to work with vpn so they get nothing.  Openvpn doesn't even show any log in attempt so just someone look for a https server is all.  Noise   The hit I highlighted that was allowed was me coming in from work.

 

 

If you run a service to the public there is going to be lots of noise, which is why you need to make sure what you allow the public to see is secured as best as possible.

 

 

 

 

 

[binaryzero]

Start wearing your tin foil hat. 

[BinaryData]

37 minutes ago, Jared- said:

Start wearing your tin foil hat. 

Already got it on.

 

@BudMan Thank you for that explanation and pictures. It helped quite a bit. I honestly, didn't think that my little ole FTP Box would be sniffed so fast. It kind of freaked me out a bit. Here's what I'll do...

 

1. Leave the ports the same.

2. I'll enable IP Blocking for their school under the /16.

3. I'll look into running SFTP even more, can't seem to find a decent tutorial on this one, but I'll keep searching.

 

As for the VPN setup you have, I'm not sure I would even know where to begin. I'm trying to keep this as low maintenance as possible, and less of a headache for myself and the people accessing it. I mean, it took me a few hours to figure out how to setup passive mode on FileZilla's server. Yes, I hate FileZilla. I haven't done FTP related things since I was in High School and looked for trouble. As for Firewalls, I'm running the router Firewall, which I don't think does diddly, and I've disabled the Windows Firewall right now because it was giving me major headaches. I'm going to re-enable it, and filter the ports through. I'm going to look into running pfSense as well, though I'm not 100% sure about it.

[binaryzero]

Welcome to the internet.

[+BudMan]

Not sure you need to block them, they are doing a service are they not.. Scanning stuff for research..

 

As to running sftp, what OS.. Linux its on any distro out of the box..  You would then lock that down to public key auth only vs password auth..

 

As to the vpn, its really clickity clickity if you run pfsense as your firewall.

 

If you want to use ssh and sftp on a windows machine - pretty simple since they started releasing openssh port for windows

Grab your 32 or 64 bit flavor here https://github.com/PowerShell/Win32-OpenSSH/releases

 

There somewhat of a guide for setting up sftp

https://winscp.net/eng/docs/guide_windows_openssh_server

 

or you could use this version http://www.mls-software.com/opensshd.html

 

If you have any issues - just let me know and can throw together a simple walk through, takes all of a couple of minutes to setup

 

Here is a sftp transfer, etc..

 

 

I did have some problems with kitty (fork of putty) and using filezilla as sftp client didn't like something it would connect but directly listing was not full and transfers didn't work.  Most likely both getting confused with the server type being sent back, etc.  But the port comes with both a ssh and sftp cmd line client you could use on windows that works for sure..  And didn't have any problems with actual putty or winscp in the 5 minutes of testing I did..  I normally don't use windows for this sort of stuff.

 

note: be careful with winscp installer might like to install opencandy, I just use the portable version when needed..

 

 

 

[BinaryData]

I've been getting some nasty lag and connectivity issues since I started this. Downloads are failing, disconnecting from services, can't even stream Netflix. Torrents refuse to connect. I have no idea what in the heck is going on. I'm rollin' a 100 up/down connection, and I can't even watch Netflix. I've contacted my ISP, and they've seen a massive amount of requests hit my line. I can host things because I'm on a business class fiber line, but they suggested I shut down any incoming/hosted products.

 

Even shutting down the server, didn't seem to do anything. =/

[+BudMan]

What is your connection speed?  I don't see how 100Kbps inbound would do anything.. Are you seeing 100KB or Kb ??  Even 100KB shouldn't be an issue unless you have a very small pipe.. Its possible your router doesn't like all the sessions, did you remove the forward or just shutdown the server?  You should remove the forward so your router just drops the traffic vs trying to do something with it.

 

Its quite possible your ftp server got compromised, what was the password you used?  Complex and long I would hope!!  Once it was compromised yeah they would most likely start serving stuff off of it that would create lots of traffic to it..

 

I just don't get why you would do this from your home connection?  Why don't you just use your dreamhost account to do ftp, or your seedbox??

 

Other than your own personal access to your stuff, serving up stuff out of your home connection never a good idea if you ask me.  Your just taking away your own bandwidth for the big one..  If you think it was slow now with 100KB(b) what do you think it would be when your buddy was moving files to and from it?  Now think of your buddy - he has to live with what kind of upload speed do you have?  I am guessing your power cycle this all the time for software updates?  Do you ever have power outages, internet outages?  Its just much better to serve up stuff to the public from a place and service designed to do so - don't you work in a DC.. I would think you would understand this better than most..

[BinaryData]

I have a 100Mbit up/down, 95/95 is my actual speeds.

 

I took the actual FTP Server offline, it's still running just no FTP Requests.

- I'll close the ports after my bosses leave for the day.

 

FTP Password is 10 Alphanumeric, special character. The user accounts on it are 8 minimum with Capitals/Lowercase, numbers, and punctuation.

 

The drives only have my data on them, About 1.5GB is used for the partitions, which was there before I even added the FTP. I added about 22GB of Video files to it.

 

The reason why I'm doing this from home, and not the seedbox, is because the seedbox doesn't have the space for it. I have 1.2TB of space on mine, however with all the video files I have, even SD I'm pushing 6TB. Well, the files I'm hosting will only have data pushed when I'm asleep, which is morning time for the British people.

 

I do understand fairly well, but you've gotta work with what you have. I've already spent a lot of personal money on it, so I'm not wanting to spend anything more specifically for this (i.e. memory upgrades). I don't power cycle it too often, unless i absolutely need too. As for outages, I haven't had one in quite some time, I think it's been over a year on internet, maybe 2, and it's been at least 2 years since power outage. Last time it was someone hitting a pole a block away.

 

I did use StableBit as well, by the way. Storage Spaces refused to accept my HDDs, so i said screw it. I didn't want to screw around with Storage Spaces and find out 3 days later it still wouldn't work. $55 for all 3 products, not sure if I'm going to enable duplication yet, I need to get the last 3 drives and I'll be solid with 27TB of space, and I can enable duplication.

[+BudMan]

so you got their cloud product too.. What do you think??  As to duplication - you going to turn it on for everything or just specific folders/files..

 

The scanner actually evacuated one of my drives for me recently, didn't loose a thing that I can tell.. Walked into my computer room and click click click.. Was like oh ###### what failed..  I didn't get any alerts or anything, until I popped the clicking disk.. Then my phone went off that one of my drives was missing

 

I have to look closer into the alerts I have setup..  But was like ###### that sucks, but it was really old drive anyway..  Put it on a shelf, ordered a wd nas red 2tb to replace it - couple days later it showed up.  Popped it in added it to the pool.. The pool re-balanced.. Was like ok what did I loose..  I knew all my critical stuff (multiple backup even would of lost the whole pool) was there that was still there even after I pulled the disk since that was duplicated..  So I connected the old clicking drive to my pc if I could pull anything off of it..  It was toast, could read it.. Was showing up as 3.4GB or something..  But going through my library everything is there and fine..

 

I had seen it do this before,  But the drive didn't actually fail, and was like why was nothing on one of my disks in the pool.  But this time it seems it got the files off just before the failure.  Or maybe it had moved them off long time ago and I hadn't noticed?  But it doesn't seem to warn you if it does this??  Have to ask them about that.

 

Now that is what I call slick   This software and support just rock!! And price is just fantastic to boot..  It just blows away spaces from every angle I can think of that is for sure..

 

If you have any questions on its use - just ask, happy to help been using it for few years now.. (Order date: May 23, 2012 6:52 AM CDT)  make sure you setup the alerting and the scanner!!  Keep meaning to play with the cloud piece, and thinking about adding a SSD to the pool as write cache to play with.  But I know that will just get me wanting to move to 10gig because the gig network is the bottleneck then.

 

 

[Circaflex]

i love stablebit, it has paid for itself a few times already on my server. cool thing about duplication is you dont need to do it for all folders, if there is data there you dont necessarily care about you can exclude it from duplication. This can help save you some storage space.

[Noir Angel]

In the future, just bare in mind that if you operate ANY server connected to the internet, people will try and scan it for vulnerabilities, it's inevitable.

Secure your server properly, always keep your software up to date, use strong passwords, and ensure that full write access is not available to anyone without passworded access. It's nothing to worry about as long as you take steps to keep yourself secure.

[BinaryData]

1 hour ago, BudMan said:

so you got their cloud product too.. What do you think??  As to duplication - you going to turn it on for everything or just specific folders/files..

 

The scanner actually evacuated one of my drives for me recently, didn't loose a thing that I can tell.. Walked into my computer room and click click click.. Was like oh ###### what failed..  I didn't get any alerts or anything, until I popped the clicking disk.. Then my phone went off that one of my drives was missing

 

I have to look closer into the alerts I have setup..  But was like ###### that sucks, but it was really old drive anyway..  Put it on a shelf, ordered a wd nas red 2tb to replace it - couple days later it showed up.  Popped it in added it to the pool.. The pool re-balanced.. Was like ok what did I loose..  I knew all my critical stuff (multiple backup even would of lost the whole pool) was there that was still there even after I pulled the disk since that was duplicated..  So I connected the old clicking drive to my pc if I could pull anything off of it..  It was toast, could read it.. Was showing up as 3.4GB or something..  But going through my library everything is there and fine..

 

I had seen it do this before,  But the drive didn't actually fail, and was like why was nothing on one of my disks in the pool.  But this time it seems it got the files off just before the failure.  Or maybe it had moved them off long time ago and I hadn't noticed?  But it doesn't seem to warn you if it does this??  Have to ask them about that.

 

Now that is what I call slick   This software and support just rock!! And price is just fantastic to boot..  It just blows away spaces from every angle I can think of that is for sure..

 

If you have any questions on its use - just ask, happy to help been using it for few years now.. (Order date: May 23, 2012 6:52 AM CDT)  make sure you setup the alerting and the scanner!!  Keep meaning to play with the cloud piece, and thinking about adding a SSD to the pool as write cache to play with.  But I know that will just get me wanting to move to 10gig because the gig network is the bottleneck then.

 

 

I don't like the Cloud Product. You're quite limited on what you can do. I have the Amazon Cloud Service, which I can't use with it. AWS is something I'd have to purchase separately. So, instead, I'm going to write a nifty script to move any new files I add to the Pool, to the ACS. That'll fix the duplication process.

 

I had wondered about RAID, and what redundancy it offered. What version do you have 2.x.x or 1.x.x? You have options in yours that I haven't seen, must be looking in the wrong section.

20 minutes ago, Circaflex said:

i love stablebit, it has paid for itself a few times already on my server. cool thing about duplication is you dont need to do it for all folders, if there is data there you dont necessarily care about you can exclude it from duplication. This can help save you some storage space.

Storage Space was what I was hoping for, it's like a cheap, ghetto redneck version of Stablebit. Being able to use however many drives as "spares" was nice. I'm glad I spent the money on Stablebit, I just wish I got a few serial keys, instead of just 1. $55 / key is insane =/

14 minutes ago, Javik said:

In the future, just bare in mind that if you operate ANY server connected to the internet, people will try and scan it for vulnerabilities, it's inevitable.

Secure your server properly, always keep your software up to date, use strong passwords, and ensure that full write access is not available to anyone without passworded access. It's nothing to worry about as long as you take steps to keep yourself secure.

Yeah, I knew i'd eventually be port scanned, however I wasn't expecting to be hit from tons of addresses. Since I posted this, I've had nearly 100 hits from different IPs, the Michigan one has hit me, even though I blocked the parent /16 address, including the two it lists on its site. BudMan and I are discussing firewall options, as well as a switch upgrade.

 

Also, you guys asked why I needed a ridiculous amount of space, well here's another reason, my garage was broken into again. Third time within 9 months. Air Compressor, 4 Ton Jack, 4x 6 Ton Axle Stands, bunch of tools, they even took my snow blower, lawn mower, rototiller, and a bunch of other stuff. They backed a truck down our drive way, loaded it up, and took off. Around $5,000 or so gone.

[binaryzero]

You don't have a ridiculous amount of space....

[+John Teacake]

We had this exact thing, I looked at the reverse DNS. Told them to remove our subnet. Simple as that. They were very helpful about it.